Saturn Ransomware

Saturn Ransomware, discovered by MalwareHunterTeam, targets Windows OS and its method of distribution is currently unknown. Once a system is infected and prior to executing any commands, Saturn Ransomware checks to see if the victim is running a virtual machine and if detected, the process will be terminated. Saturn Ransomware deletes volume shadow copies, disables Windows startup repair, and clears Windows backup catalog. It appends .saturn to the names of encrypted files. Ransom notes named #DECRYPT_MY_FILES#.html and #DECRYPT_MY_FILES#.txt are placed into every folder where files have been encrypted along with a key file named #KEY-[id].KEY, which contains a link to the TOR browser. Victims are required to upload the key file through TOR in order to receive further instructions. At the time of writing, Saturn Ransomware demands the equivalent of $300 USD in Bitcoin for decryption services. Additionally, the Windows desktop of an infected machine will display a black screen with text similar to the ransom notes and a file named #DECRYPT_MY_FILES#.vbs will result in prerecorded audio to play on the affected device.

2/18/2018: Saturn Ransomware is currently available on the Dark Web via Ransomware-as-a-Service (RaaS) portal. If users register for the program they can download the ransomware and embed it in another file, such as an EXE or PDF, for free. If victims are infected with ransomware generated via the Saturn Ransomware RaaS portal, the users who created the malicious file will receive 70% of the total ransom payment and the Saturn Ransomware creators will receive 30%.

Reference in this site to any specific commercial product, process, or service, or the use of any trade, firm or corporation name is for the information and convenience of the public, and does not constitute endorsement, recommendation, or favoring by the NJCCIC and the State of New Jersey.